Moodle plugins directory: Multi-factor authentication
This is a Moodle plugin which adds Multi-Factor authentication (MFA), also known as Two-factor authentication (2FA) on top of your existing chosen authentication plugins.
Why another MFA plugin for Moodle?
There are other 2FA plugins for moodle such as:
This one is different because it is NOT a Moodle authentication plugin. It leverages new API's that Catalyst specifically implemented in Moodle Core to enable plugins to augment the login process instead of replacing it. This means that this MFA plugin can be added on top of any other authentication plugin resulting in a much cleaner architecture, and it means you can compose a solution that does everything you need instead of compromising by swapping out the entire login flow.
See this tracker and the dev docs for more info:
The other major difference is that we support multiple authentication factor types as sub plugins, eg IP Range, Email, TOPT and in future others such as SMS or hardware tokens or anything else as new sub-plugins. They can be flexible configured so that different combinations of factors are considered enough.
The MFA has multiple sub-plugins for each type of factor. Different factors can be combined and checked in a specific order. See the plugin readme for the full details:
For more information, consult the readme:
Thank you for your response!
Another question: Is there a method to give a priority between several methods all set to 100?
E.g. mail and TOTP-methods active, but I prefer the TOTP and want mail only as backup? How would I tell Moodle in this case that my portable is low on batt ;) ?
Fully understood - but: Stupid me is unable to find the "table of factors". Please enlighten!
Now my question, I am trying to develop a subplugin (a factor) that enables user login if connnection attempt comes from same IP of last succesful login. My way of implementing that is based on a observer listening to event 'core\event\user_loggedin' and I try to declare observer in /admin/tool/mfa/factor/mynewfactor/db/events.php but apparently Moodle ignores that. am I right if I suppose that db-events scheme doesn´t work for factor subplugins?
Thanks again very much in advance,
luis (from sunny Spain)
@j. luis simon I recommend implementing this instead as a callback using $factor->post_pass_state() method, and override this method in the new factor class. It is invoked every time authentication passes, so you can use this to store the IP of the user, which can be used in comparison at next lookup. I would be really careful with IP in general, there are many many conditions that can make IP change between requests (proxy, ISP etc)
@Peter Kelly Currently there is no way to override this by default, however you could change the language strings in a custom language pack, or override it in your site theme.
@Hanspeter Rutschmann The table lives here /admin/settings.php?section=managemfa
It looks like user filtering factors is what you need. You can target your admins / teachers by their auth type, roles, capabilities. Please refer to plugin docs: https://github.com/catalyst/moodle-tool_mfa#user-filtering-factors
The only thing that I found a bit puzzling in the start was parts of the documentation.
1. Do NOT enter any settings in the configuration dialog when installing. You are not logged inn yet and you may lock yourself out. (This is written at the bottom of the README on git hub).
2. To access the configuration dialog, go to "System administration", tab "Plugins", section "Admin tools", item "Multi-factor authentication".
3. The user's QR code is found under the user's profile (icon on top right of Moodle window), "Preferences", "Multi-factor authentication preferences"
Everything else works like a charm. Good help texts for the users. Works very well. Highly recommended.
Is it possible to make your plugin work with microsoft's Authenticator app?
Yes the application works with Microsoft authenticator, in TOTP mode via a QR code.
Its not currently tenancy aware. We have had some passing interest in getting it there, but we haven't had a sponsor or the time to put towards it currently.